Apache Cassandra database software has a high-severity vulnerability that allows RCE (Remote Code Execution). The software is used for managing very large amounts of structured data across commodity servers. The vulnerability affects only systems running with a specific configuration of user-defined functions (UDFs).
CVSS score: 8.4
The vulnerability in Cassandra is tracked as CVE-2021-44521 and has a CVSS score of 8.4, which makes it a high-severity flaw. Thankfully, the flaw can only be exploited on systems where user-defined functions are enabled; they are disabled by default. If the “cassandra.yaml” configuration file contains the definitions below, the system is vulnerable to CVE-2021-44521:
The vulnerability was found and explained by researchers at JFrog. According to the whitepaper written by Omer Kaspi, the enable_user_defined_functions_threads: false line is the key to the vulnerability. Omer Kaspi, Security Researcher at JFrog, said:
“When enable_user_defined_functions_threads is set to false, our UDF code runs in the daemon thread, which specifically has the permission to invoke setSecurityManager. This immediately allows us to turn off the security manager, so now we just need to bypass the class filtering mechanism.
When running JavaScript code on top of Nashorn we can use this.engine to access the Nashorn instance engine. This actually allows us to bypass any class filter by creating a new script engine, which is not restricted by the class filtering mechanism.”
The issue is fixed by upgrading Apache Cassandra to the following releases:
3.0.x versions to 3.0.26
3.11.x versions to 3.11.12
4.0.x versions to 4.0.2
If updating Cassandra instances is not possible for integration reasons, the vulnerability can also be mitigated by following the steps below:
If UDFs are not actively used, disable them completely by setting enable_user_defined_functions to false.
If UDFs are needed, set enable_user_defined_functions_threads to true.
Remove the ability of untrusted users to create, alter, and execute functions by revoking the following permissions with the CQL statements below, replacing <role_name> with the role in question and <keyspace> / <function_name> with the resources concerned (the three statements per permission cover all functions, all functions in one keyspace, and a single function respectively):
REVOKE CREATE ON ALL FUNCTIONS FROM <role_name>;
REVOKE CREATE ON ALL FUNCTIONS IN KEYSPACE <keyspace> FROM <role_name>;
REVOKE CREATE ON FUNCTION <keyspace>.<function_name>(<argument_types>) FROM <role_name>;
REVOKE ALTER ON ALL FUNCTIONS FROM <role_name>;
REVOKE ALTER ON ALL FUNCTIONS IN KEYSPACE <keyspace> FROM <role_name>;
REVOKE ALTER ON FUNCTION <keyspace>.<function_name>(<argument_types>) FROM <role_name>;
REVOKE EXECUTE ON ALL FUNCTIONS FROM <role_name>;
REVOKE EXECUTE ON ALL FUNCTIONS IN KEYSPACE <keyspace> FROM <role_name>;
REVOKE EXECUTE ON FUNCTION <keyspace>.<function_name>(<argument_types>) FROM <role_name>;
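A defender-side check that turns the version and configuration conditions above into an exposure verdict, as an added example that is not part of the original article or of JFrog's research. It assumes the relevant cassandra.yaml keys are flat top-level lines and that enable_user_defined_functions_threads defaults to true when absent.

```python
import re
from typing import Dict, Optional

# Fixed releases named in the advisory above; anything below them on the same branch is affected.
FIXED_RELEASES = {(3, 0): (3, 0, 26), (3, 11): (3, 11, 12), (4, 0): (4, 0, 2)}


def parse_top_level(yaml_text: str) -> Dict[str, str]:
    """Minimal reader for the flat 'key: value' lines of cassandra.yaml.
    Only unindented scalar keys are read, so no YAML library is needed (assumption)."""
    settings: Dict[str, str] = {}
    for raw in yaml_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments
        m = re.match(r"^([A-Za-z_][A-Za-z0-9_]*):\s*(\S.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings


def truthy(value: str) -> bool:
    return value.strip().lower() in ("true", "yes", "on")


def is_patched(version: str) -> Optional[bool]:
    """True/False for the 3.0, 3.11 and 4.0 branches; None for a branch the advisory does not list."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    fixed = FIXED_RELEASES.get(parts[:2])
    return None if fixed is None else parts >= fixed


def assess(yaml_text: str, version: str) -> dict:
    """Combine release and configuration into a verdict plus the remediation steps from the advisory."""
    s = parse_top_level(yaml_text)
    udf_enabled = truthy(s.get("enable_user_defined_functions", "false"))  # Cassandra default: false
    udf_threads = truthy(s.get("enable_user_defined_functions_threads", "true"))  # assumed default: true
    patched = is_patched(version)
    exposed = udf_enabled and not udf_threads and patched is not True
    actions = []
    if exposed:
        actions.append("upgrade to 3.0.26 / 3.11.12 / 4.0.2 or later")
        actions.append("set enable_user_defined_functions: false if UDFs are unused, "
                       "otherwise set enable_user_defined_functions_threads: true")
        actions.append("REVOKE CREATE/ALTER/EXECUTE on functions from untrusted roles")
    return {"version": version, "patched": patched, "udf_enabled": udf_enabled,
            "udf_threads": udf_threads, "exposed": exposed, "actions": actions}


# Constructed sample of the relevant cassandra.yaml lines, not taken from any real deployment.
SAMPLE_YAML = """\
cluster_name: 'Test Cluster'
enable_user_defined_functions: true
enable_user_defined_functions_threads: false   # the line the researchers point at
"""

if __name__ == "__main__":
    for ver in ("3.11.11", "3.11.12"):
        print(ver, assess(SAMPLE_YAML, ver))
```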